HODOR

Features

Hodor is the security and governance layer, the control plane between AI and your Applications.

A non-human identity for every agent, the tools it can reach, fine-tuned and cross-app policies, PII redaction, a replayable audit log, tuned MCPs, any OpenAPI spec as MCP tools, a never-hold-the-key zero-trust posture, and the option to self-host inside your VPC. Together they make an MCP gateway your security team will sign off on.

Agent ID

An identity for every agent. Owned and accountable.

Every agent, chat assistant, and workflow gets its own non-human identity. That identity is tied to the harness it runs in, the permissions and policies it's allowed, and a real person who's responsible for it. Provision it in a click, rotate it automatically, revoke it in one motion.

Per agent, per workflow

Every agent run, chat use case, or automated workflow gets its own identity — never a shared API key or a service account everyone reuses.

Bound to a harness

Each identity is linked to the harness it runs in — Claude Code, Cursor, Mastra, a custom agent — so you always know where a call came from.

Carries its permissions & policies

The identity is the anchor. The tools it can reach and the policies that constrain them all hang off it.

A human owner

Every identity names the person responsible for it. When something looks off, there's an owner to ask — not an anonymous service account.

Permissions

The tools an identity can reach. Nothing else in the list.

Permissions are the tools you link to an identity. Those — and only those — show up in the tool list of the MCP connection that identity opens. The model can't see, discover, or call anything outside its list.

Tools, linked to an identity

Pick the exact tools an agent needs. They become the catalog its MCP connection exposes — the rest of your tooling stays invisible.

The list is all there is

The model only knows about the tools in its connection. No shadow tools, no discovery of capabilities it was never granted.

Per-identity catalogs

The same upstream server can expose a different tool list to each identity. Support's catalog isn't engineering's catalog.

Change it anytime

Add or remove a tool and the agent's connection reflects it on the next call. No redeploy, no new keys to hand out.

Policies

Fine-tuned and cross-app rules. Beyond on and off.

Permissions decide which tools. Policies decide how they can be used — fine-grained rules on a payload, or rules that depend on the state of another application entirely. The expected behavior becomes the only allowed behavior.

Payload-level rules

Constrain the arguments a tool can be called with — recipients, amounts, ranges, formats, required combinations. Most misuse simply can't be expressed.

Cross-application rules

Gate a call on the state of another app — e.g. an email recipient must not have an active Stripe subscription, or an agent may only touch records owned by the person responsible for it.

Conditional logic

Combine signals across tools and apps into a single allow-or-deny decision, evaluated on every call.

Written once, enforced every call

Express the rule once; Hodor enforces it on every request, for every agent bound to it.

PII redaction

Keep PII out of the model. Redact or tokenize.

Personal and sensitive data — names, emails, addresses, secrets, social security numbers — should never reach an AI harness or model just because a tool returned it. Hodor keeps it out. You choose what gets redacted or tokenized; we handle the rest, in flight, on every call.

Out of harnesses and models

PII is stripped before a payload ever reaches the agent or the model. The work still gets done — the data just never leaves your perimeter.

Redact or tokenize

Redact a field outright, or tokenize it so the agent can still reference and round-trip a value without ever seeing the real one.

You choose the fields

Pick what's sensitive — name, email, address, secrets, SSNs, anything. You choose what's redacted or tokenized, and Hodor handles the rest.

On the way in and out

Same control whether the model is sending arguments or reading a tool's response.
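As an added illustration of the redact-or-tokenize round trip described above (not Hodor's code or API): a gateway-side filter that redacts or tokenizes configured fields in a tool response and resolves the tokens again when the model sends them back as arguments. The class name, the rule format, the token shape and the choice of keyed deterministic tokens are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

class FieldTokenizer:
    """Gateway-side filter; the token vault never leaves this object."""

    def __init__(self, rules):
        self.rules = rules                   # field name -> "redact" | "tokenize"
        self._key = secrets.token_bytes(32)  # per-deployment secret for token MACs
        self._vault = {}                     # token -> real value

    def _tokenize(self, name, value):
        # Keyed and deterministic: equal values get equal tokens, so the agent
        # can correlate records, but cannot brute-force a token without the key.
        mac = hmac.new(self._key, f"{name}\0{value}".encode(), hashlib.sha256)
        token = f"tok_{name}_{mac.hexdigest()[:16]}"
        self._vault[token] = value
        return token

    def outbound(self, obj):
        """Tool response -> model: strip or tokenize the configured fields."""
        if isinstance(obj, list):
            return [self.outbound(item) for item in obj]
        if not isinstance(obj, dict):
            return obj
        safe = {}
        for name, value in obj.items():
            action = self.rules.get(name)
            if action == "tokenize" and isinstance(value, str):
                safe[name] = self._tokenize(name, value)
            elif action in ("redact", "tokenize"):
                safe[name] = "[REDACTED]"    # fail closed on non-string values
            else:
                safe[name] = self.outbound(value)
        return safe

    def inbound(self, obj):
        """Model arguments -> tool: resolve whole-string tokens we issued."""
        if isinstance(obj, list):
            return [self.inbound(item) for item in obj]
        if isinstance(obj, dict):
            return {k: self.inbound(v) for k, v in obj.items()}
        if isinstance(obj, str):
            return self._vault.get(obj, obj)
        return obj
```

Only exact token strings are resolved on the way in, so a token embedded inside free text stays a token and the real value is never reassembled in a prompt-visible field.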

Logs

Every call. Every payload. Replayable.

Hodor's position between your agents and your applications means every tool call and every payload flows through it. Each one is recorded with the agent identity, the arguments, the policy in force, the verdict, and the latency. The audit stands on the trail, not on trust.

Append-only audit log

Immutable, replicated within your region. Every change to a policy is itself a logged event.

Replayable decisions

Re-run any historical call against the policy that was in force at the time — or against your current policy to see what would change.

Queryable via MCP

Expose the audit log as an MCP server to your own agents, or pipe it into Datadog, Grafana, or the observability stack you already run.

Signed evidence exports

Export an engagement window as a signed evidence package — the kind of artifact a SOC 2 or DPA review actually accepts.

Fine-tune MCPs

Tune MCP servers to your context. Per agent, per workflow.

MCP servers ship with someone else's generic schemas. Hodor lets you reshape them — rewrite tool descriptions, make loose params required, list the values a field can take — so the model understands your company's context for this specific agent or workflow.

Rewrite tool descriptions

Descriptions are what the model reads every turn. Replace vague defaults with the exact behavior and context you expect, in your own words.

Tighten parameters

Make an optional param required, set defaults, constrain types — turn a loose schema into one the model can't misuse.

List possible values

Enumerate the values a field can take so the model picks from your set instead of guessing — fewer bad calls, better grounding in your context.

Per agent, per workflow

Tune the same server differently for each agent or workflow, so every one sees a catalog shaped for its job.

OpenAPI to MCP

Any OpenAPI spec, as MCP tools. Secured by Hodor.

Point Hodor at an OpenAPI spec and it turns the whole thing into a full MCP tool list. Tools you'd normally only reach over a raw API, and would otherwise need a complex agent setup to call safely, become Hodor tools you can scope, constrain with policy, and audit like everything else.

Spec in, tools out

Import any OpenAPI spec and Hodor generates a complete MCP tool list from it — no hand-writing a server.

Secure what was API-only

Tools you'd normally call over a raw API are now governed by the same identities, permissions, and policies as the rest of your MCP catalog.

Skip the bespoke plumbing

No more standing up a complex agent setup just to make an internal API safe to call. Hodor is the security layer.

Same controls, everywhere

Scope per identity, set payload and cross-app policies, redact PII, and audit every call — even for tools that started life as plain REST.

Zero Trust

Your agent never holds the key. Allowed equals expected.

The harness authenticates to Hodor with a Hodor key — never the credential to the application it's targeting. On every call Hodor checks the request, swaps in the real credential, and executes. Your agents never see the keys. And their allowed behavior is mapped to their expected behavior, with no extra room.

A Hodor key, not your app's

The harness holds a Hodor key. The real API keys and tokens for the apps it targets stay with Hodor and never touch the model.

Check, swap, execute

On every call Hodor validates the request against the agent's permissions and policies, swaps in the real credential, executes, and returns the result. The agent never sees the secret.
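A sketch of the check, swap, execute flow, added here as an example and not taken from Hodor: the gateway resolves its own key to an identity, checks the tool against that identity's catalog, runs a payload-level rule and a cross-application rule of the kind described under Policies, and attaches the real credential only after every check passes. All names, keys, tool identifiers and the in-memory stores are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

Rule = Callable[[dict], Optional[str]]   # returns a deny reason, or None to allow

@dataclass
class Identity:
    agent_id: str
    owner: str                           # the accountable human
    tools: frozenset                     # permissions: the entire visible catalog
    policies: dict = field(default_factory=dict)   # tool name -> list of Rule

# Constructed state. ACTIVE_SUBSCRIBERS stands in for another application's data.
ACTIVE_SUBSCRIBERS = {"vip@example.com"}
VAULT = {"email.send": "REAL-UPSTREAM-SECRET"}     # never returned to the agent
AUDIT = []                                         # a plain list in this sketch

def internal_recipient(args):            # payload-level rule
    ok = str(args.get("to", "")).endswith("@example.com")
    return None if ok else "recipient_outside_allowed_domain"

def no_active_subscription(args):        # cross-application rule
    hit = args.get("to") in ACTIVE_SUBSCRIBERS
    return "recipient_has_active_subscription" if hit else None

IDENTITIES = {"gw-key-support": Identity(
    "support-bot", "alice", frozenset({"email.send"}),
    {"email.send": [internal_recipient, no_active_subscription]})}

def upstream(tool, args, credential):
    """Stand-in for the real application; only the gateway calls it."""
    return {"sent_to": args["to"], "auth_ok": credential == VAULT[tool]}

def handle_call(gateway_key, tool, args):
    ident = IDENTITIES.get(gateway_key)
    reason = None
    if ident is None:
        reason = "unknown_gateway_key"
    elif tool not in ident.tools:
        reason = "tool_not_in_catalog"
    else:
        for rule in ident.policies.get(tool, []):
            reason = rule(args)
            if reason:
                break
    AUDIT.append({"agent": ident.agent_id if ident else None, "tool": tool,
                  "args": args, "verdict": "deny" if reason else "allow",
                  "reason": reason})
    if reason:
        return {"ok": False, "reason": reason}
    # Swap: the real credential is attached here, after every check has passed.
    return {"ok": True, "result": upstream(tool, args, VAULT[tool])}
```

Every path, allowed or denied, writes an audit record before returning, and the denial carries a structured reason instead of an upstream error.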

Least agency

An agent's allowed behavior is mapped to its expected behavior — the tools it should use, the way it should use them — and nothing more. No extra room to go wrong.

Audit by default

Every call is recorded with the identity, the arguments, the policy in force, and the verdict. The audit stands on the trail, not on trust.

Self-Host

Your VPC. Our control plane.

Deploy the Hodor gateway inside your own VPC — credentials, audit logs, and policy evaluation never leave your network. Hodor's control plane handles the operating layer: agent identity issuance, the policy editor, and the MCP infrastructure. Every tool call passes through your gateway, is evaluated against the policies bound to the connector, and is either brokered to the underlying MCP / API or denied with a structured reason.

Gateway runtime in your VPC

Every tool call is intercepted and evaluated on your network. Nothing transits Hodor's infrastructure unless you choose the fully-managed deployment.

Credentials encrypted in your Vault

OAuth tokens, API keys, and integration secrets are encrypted at rest in your own Vault. The keys never touch Hodor.

Audit log on your storage

The append-only audit log is written to your storage — your retention rules, your residency, your exports — and can sync straight into your SIEM.

Hodor manages identity, policy, and MCP plumbing

Per-agent identity issuance, rotation, and revocation; the policy editor; connector implementations kept current with the MCP spec; releases, versioning, and the SLA on the control plane.
